I have a GitHub action that runs tests in the CI on every pull request that is opened on my repo.
As part of the tests workflow, the job checks out several other repositories in the GitHub organization (all of them are private, same as my repo). Later the workflow uses the checked-out content for the test suites.
That works well on pull requests issued by our organization's contributors, but whenever this workflow runs on a PR that was issued by Dependabot, it fails, as Dependabot PRs don't have the same secret access as other pull requests do.
My question is: how can I provide this workflow with the capability of checking out other repos in the organization without exposing all of the secrets data to Dependabot?
Thanks!
A simple solution according to GitHub is to use the same token (or different ones but with the same permissions), with the same name, for both Actions and Dependabot.
Solution
Having generated a Personal Access Token (PAT), in your repository go to:
Settings > Secrets and variables > Actions
Repository secrets
Create a secret, e.g. MY_PAT, and paste the token.

Settings > Secrets and variables > Dependabot
Repository secrets
Create a secret, e.g. MY_PAT, and paste the token.
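As an added example (not part of the answer above), this is what the workflow side looks like once MY_PAT exists in both secret stores. The organization name, the second repository name (my-org/test-fixtures) and the test command are placeholders; only the secret name MY_PAT comes from the answer.

```yaml
# Added example: a test job that checks out a second private repo in the same
# organization. On contributor PRs `secrets.MY_PAT` is read from the Actions
# secret store; on Dependabot PRs the same expression resolves against the
# Dependabot secret store, so the step works in both cases as long as the
# secret exists under the same name in both.
name: tests

on:
  pull_request:

permissions:
  contents: read   # keep the default GITHUB_TOKEN read-only; the PAT does the cross-repo work

jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      - name: Check out this repository
        uses: actions/checkout@v4

      - name: Check out shared test fixtures (private repo in the same org)
        uses: actions/checkout@v4
        with:
          repository: my-org/test-fixtures   # placeholder repository name
          path: fixtures
          token: ${{ secrets.MY_PAT }}       # defined in BOTH Actions and Dependabot secrets

      - name: Run test suite
        run: ./run-tests.sh --fixtures ./fixtures   # placeholder test command
```

Because the Dependabot secret store is separate, the PAT stored there is the only secret those runs can read, so scope it to read-only repository contents on just the repositories the workflow needs (a fine-grained PAT limited to those repos is enough for actions/checkout).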